asyncrat

General

Target

7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7
Size

11.7MB
Sample

221130-q15rwaeg73
MD5

8bd3bff5e679f6b14e42d7b66aa8497f
SHA1

76891d257c1a9ba36426b3e834b8eda6c5254ffc
SHA256

7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7
SHA512

05deb4c1c8fa09c07600dbb79b2ad35c1532f773b7ab28d18c833c8b63d7e076ce2e232bd13a2eb9abd1a2f3d1668d7802d0fa205f619222358d4368fb06a0df
SSDEEP

384:rMgQoufci5qP6TseVkeHD9xu+FyVQVhwfPl5SCuZacZ/LsytKY1Q39cYAYAwj7aW:6ro

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Katayumi

C2

normal-knife.auto.playit.gg:54950

normal-knife.auto.playit.gg:7707

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
ZxKKE4oK8.exe
install_folder
%Temp%

aes.plain

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Skidy

C2

roasted-flag.auto.playit.gg:51952

Mutex

VNM_MUTEX_bsVy5mHRmaFZMQOLbI

Attributes

encryption_key
ux20jjbixeS7PecgmZeq
install_name
windows.exe
log_directory
Logs
reconnect_delay
3000
startup_key
windows
subdirectory
$windows

Targets

- Target
  
  7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7
- Size
  
  11.7MB
- MD5
  
  8bd3bff5e679f6b14e42d7b66aa8497f
- SHA1
  
  76891d257c1a9ba36426b3e834b8eda6c5254ffc
- SHA256
  
  7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7
- SHA512
  
  05deb4c1c8fa09c07600dbb79b2ad35c1532f773b7ab28d18c833c8b63d7e076ce2e232bd13a2eb9abd1a2f3d1668d7802d0fa205f619222358d4368fb06a0df
- SSDEEP
  
  384:rMgQoufci5qP6TseVkeHD9xu+FyVQVhwfPl5SCuZacZ/LsytKY1Q39cYAYAwj7aW:6ro
Score

10^/10

asyncrat katayumi evasion rat trojan quasar skidy spyware
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Async RAT payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2